Home Depot Seeks Eleventh Circuit Review in Banks' Data Breach Suit


HHR Advisories & Publications | Litigation, Arbitration and Investigations

Home Depot is seeking to appeal the denial of its motion to dismiss the data breach claims of numerous financial institutions. See Mem. in Supp. of Mot. to Certify Order at 2-3, In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL No. 14-02583 (N.D. Ga. Jul. 5, 2016) (ECF No. 228-1). In 2014, Home Depot suffered a massive data breach that may have compromised up to 56 million credit and debit cards. Home Depot settled the claims brought by the cardholders, but it still faces the claims brought by the banks and credit unions that issued the payment cards. These financial institutions are seeking to recover the costs of reimbursing cardholders for fraudulent charges and preventing further fraud. Among other mitigation costs, the banks claim that they had to cancel a.nd reissue cards, investigate fraudulent charges, and monitor accounts for future fraud.

In moving to dismiss the banks' claims, Home Depot argued that the banks lacked standing to recover their mitigation costs because these costs were "willingly incurred" to prevent harm that might never happen. Home Depot argued that, since the threat of the future harm was speculative, the banks had not suffered actual or concrete injury. Mem. in Supp. of Mot. To Dismiss at 7-12, In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL No. 14-02583 (N.D. Ga. Jul. 1, 2015) (ECF No. 114-1).

The MDL court rejected Home Depot's standing argument, finding that the banks had pled actual injury under Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013). Specifically, the court noted that the costs incurred by the banks were not "speculative" or "threatened future injuries," but "actual, current, monetary damages." Order at 10-11, In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL No. 14-02583 (N.D. Ga. May 18, 2016) (ECF No. 211). Further, the court found that the banks had standing to recover any costs undertaken to avoid future harm because they were "reasonable mitigation costs due to a substantial risk of harm." Id. (citing Clapper, at 1150 n.5.)

On July 6, 2016, Home Depot moved for an order certifying an immediate interlocutory appeal to the Eleventh Circuit. Among other questions of law, Home Depot seeks to appeal "whether prophylactic measures taken to guard against losses that may never occur are sufficient to establish Article III standing." See Mem. in Supp. of Mot. for Interlocutory Appeal at 9-10, In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL No. 14-02583 (N.D. Ga. July 5, 2016) (ECF No. 228-1). In its brief, Home Depot notes that this is a controlling question of law that, if decided in Home Depot's favor, would not just materially advance the litigation, but likely end it, since the banks have already been reimbursed for fraud loss under the card brands' settlement processes. Id.

Home Depot also argues that substantial grounds for disagreement exist with respect to the court's finding that the banks had standing. According to Home Depot, the MDL court was "the first court -- in the Eleventh Circuit or elsewhere -- to issue an order addressing the standing of financial institutions to assert claims arising out of a data breach." Id. at 2, 9. Home Depot acknowledges that numerous courts have addressed standing in consumer litigation, but argues that, even in the consumer context, this issue remains unsettled. Id. at 9-10.

If Home Depot is successful, a favorable decision from the Eleventh Circuit could have a significant impact on future data breach cases by financial institutions. The bulk of the damages in these cases usually stems from the banks' efforts to issue new cards and mitigate future harm. For example, in the 2014 Target data breach, an industry association estimated that $174 million of approximately $200 million in costs to banks was spent replacing compromised credit and debit cards. Press Release, Consumer Bankers Association, Cost of Target Data Breach Exceeds $200 Million (Feb. 18, 2014), available at http://consumerbankers.com/cba-media-center/media-releases/cost-target-data-breach-exceeds-200-million. If the Eleventh Circuit finds that banks lack standing to recover these costs, it may curtail future litigation and shift some of the costs of a data breach to the banks.